Bug #14612
Pidgin exposes everything through its D-Bus service
100%
Description
See e.g.: https://developer.pidgin.im/wiki/DbusHowto
So Tor Browser can totally sniff your buddy list and send your friends creepy messages.
Disabling this interface somehow would solve this, but we’re gonna use it in Tails Server’s client application, to automate account creation, joining the right chat, etc. intrigeri tells me we could do D-Bus mediation with AppArmor once Linux 4.16 is available to us (unless it’s delayed) which sounds ideal.
Subtasks
Related issues
Blocks Tails - |
Resolved | 2017-06-29 |
History
#1 Updated by anonym 2017-09-07 19:21:29
Apparently there is a 5 year old (but unpublished?) CVE for this: https://census-labs.com/news/2012/02/25/libpurple-otr-info-leak/
Upstream ticket: https://developer.pidgin.im/ticket/14830
I think it can be disabled with something like: DBUS_SESSION_BUS_ADDRESS= pidgin. Otherwise we could always recompile with --disable-dbus…
#2 Updated by intrigeri 2017-09-10 21:04:50
> I think it can be disabled with something like: DBUS_SESSION_BUS_ADDRESS= pidgin.
This would likely break input methods and a11y.
#3 Updated by intrigeri 2017-09-11 12:22:01
I think we can forbid all access to that D-Bus interface via D-Bus “security policy” mechanism: see dbus-daemon(1) and e.g. /usr/share/dbus-1/session.conf.
#4 Updated by intrigeri 2017-09-11 12:25:14
- Assignee set to intrigeri
- Target version changed from Tails_3.3 to Tails_3.2
- Type of work changed from Research to Code
- Affected tool set to Instant Messaging
#5 Updated by intrigeri 2017-09-11 12:25:29
- blocks
Feature #13234: Core work 2017Q3: Foundations Team added
#6 Updated by intrigeri 2017-09-11 12:25:58
(Seems more urgent than Bug #12460 => replace it on my plate for this release.)
#7 Updated by intrigeri 2017-09-13 09:08:40
- Subject changed from Pidgin exposes everything through its D-Bus interface to Pidgin exposes everything through its D-Bus service
Note to myself: dbus-send --session --print-reply --dest=im.pidgin.purple.PurpleService /im/pidgin/purple/PurpleObject im.pidgin.purple.PurpleInterface.PurpleAccountsGetAll returns exit code 0 iff. Pidgin is running and I am allowed to talk to its D-Bus service.
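The D-Bus "security policy" approach suggested in comment #3, written out as an added example; this is not the file from the Tails feature branch. The file name and its location under /etc/dbus-1/session.d/ are assumptions, and the receive_sender rule goes beyond what the thread discusses.

```xml
<!DOCTYPE busconfig PUBLIC "-//freedesktop//DTD D-Bus Bus Configuration 1.0//EN"
 "http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">
<busconfig>
  <!-- Hypothetical drop-in, assumed path:
       /etc/dbus-1/session.d/deny-pidgin-purple.conf
       The stock session.conf includes that directory, so the rules
       below are merged into the session bus policy. -->

  <!-- "mandatory" policies are applied after default, group and user
       policies, so a later allow rule in those contexts cannot
       re-open access. -->
  <policy context="mandatory">

    <!-- Refuse every method call addressed to Pidgin's well-known
         bus name, whatever the object path or interface. This is the
         name used by the dbus-send check in the note above. -->
    <deny send_destination="im.pidgin.purple.PurpleService"/>

    <!-- Assumption beyond the thread: signals are broadcast without a
         destination, so the rule above does not cover them. Denying
         receipt of anything sent by the service's owner keeps other
         session clients from subscribing to Pidgin's signals. -->
    <deny receive_sender="im.pidgin.purple.PurpleService"/>

  </policy>
</busconfig>
```

Once the session bus has loaded such a policy, the dbus-send call from the note above should exit non-zero even while Pidgin is running.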
#8 Updated by intrigeri 2017-09-13 09:35:41
- Status changed from Confirmed to In Progress
- Assignee changed from intrigeri to anonym
- % Done changed from 0 to 50
- QA Check set to Ready for QA
- Feature Branch set to bugfix/14612-deny-access-to-pidgin-dbus-service
Thankfully that was trivial :) Once Tails Server has some kind of proper privileged backend / unprivileged frontend separation (Bug #12297) I expect it’ll be feasible to give its backend access to the D-Bus interface without broadening the attack surface more than needed.
#9 Updated by anonym 2017-09-15 14:55:21
- Assignee changed from anonym to intrigeri
Woah, apparently we’re already using Pidgin’s DBus interface in the automated test suite, see commit:0bc56936a7134f6140df440d1de042d9df9ffada. Fixed with commit:565ed09904b7bbf59359f886cf4cdf5d7cac4203.
I understand if you’d rather have me split that out into a separate branch/ticket for later. What do you think?
#11 Updated by anonym 2017-09-15 17:23:58
- Status changed from In Progress to Fix committed
- Assignee deleted (anonym)
- % Done changed from 50 to 100
- QA Check changed from Ready for QA to Pass
#12 Updated by anonym 2017-09-28 18:50:08
- Status changed from Fix committed to Resolved